The NERC CIPs – Why the North American Electric System is NOT Cyber Secure

The NERC CIPs were drafted from a compliance rather than security perspective. Consequently, this has led to unintended consequences to both cyber security and grid reliability. I want to focus on limitations of the NERC CIPs and how it is contributing to the lack of cyber security, and worse, reducing the reliability of the North American electric system (generation, transmission, and distribution). Hopefully, the redrafting effort currently underway will address these limitations. No distribution – This exclusion effectively guts any consideration of security for the Smart Grid which is primarily distribution and customers. It also excludes reality that “high voltage” distribution communicates with “low voltage” transmission. We have already had at least two major outages due to distribution cyber incidents. How can this exclusion maintain grid reliability? No telecom – I am waiting to hear even one logical argument for excluding telecommunications from a cyber security assessment. Can any competent security person imagine doing that for an IT assessment? Even the NERC ES ISAC recognized this by providing a document on the SQL Slammer Worm where it affected frame relays and SCADA communications (issued BEFORE the NERC CIPs were approved). Excluding telecom is also inconsistent with the recommendations from the 2003 Northeast Outage Final Report. Additionally, there have been telecom-based cyber incidents that have affected substation protection devices. How can this maintain grid reliability? No nuclear – NRC is responsible for nuclear safety. However, the non-nuclear portion of a nuclear plant is what provides the power to the grid. Considering that nuclear plants represent approximately 20% of the power generation in the US and they do it in “big chunks” (roughly 1000MW/unit), loss of nuclear power is critical to the reliability of the bulk electric grid. Consequently, there are on-going efforts with NRC, FERC, and NERC to address this exclusion. Routable protocols only – Often, 75-80% of an electric utility’s control system communications are via non-routable protocols such as serial and radio. These non-routable protocols can also be cyber vulnerable. However, many utilities are now pulling their IP connections so they will not be considered a NERC Critical Asset while ignoring non-routable protocols. They are making the grid less reliable or why would they have installed IP in the first place. What does this mean for the Smart Grid where the Stimulus Bill recommends use of IP? Critical Asset Identification - Utilities are to use a risk-based assessment to identify their Critical Assets that will go through the NERC CIP evaluation process (CIP 003-009). Since there is no criteria for what justifies an acceptable risk-based assessment, many utilities are using their risk assessment process to “justify” having very few (sometimes ZERO) NERC Critical Assets. In fact, it is conceivable that a blank piece of paper with the words risk-based assessment as a title could apply – this what the “NERC CIP Road Show” was telling people several years ago. Black start generators are explicitly identified in CIP-002 as a NERC Critical Asset as they are needed for grid restoration. Thanks to the NERC CIPs, we now have generators no longer providing black start capability so they will not be considered a NERC Critical Asset. How does this maintain grid reliability? Inappropriate Cyber Security Policies and Training - The requirement for a cyber security policy does not require it to be appropriate- that is, for control systems. There have been numerous control system cyber incidents with significant impacts such as shutdown of nuclear plants, damage to equipment, etc that did NOT violate IT security policies. The same lack of specificity applies to Awareness and Training requirements. What good are the wrong policies and programs? What else is deficient with the NERC CIPs? - Almost all new control system technologies for generation, transmission, or distribution will be cyber-sensitive. The inadequacies of the NERC CIPs will magnify this problem. - Federal power agencies such as TVA and BPA are required by Federal Law to meet the NIST cyber security standards which are more rigorous than the NERC CIPs. This makes all non-federal utilities that electronically interconnect with federal utilities weak links. - Legacy control systems can, and have been impacted by penetration testing. A CIP-007 requirement is to determine open ports and services which implies penetration testing. - Many of the control system cyber incidents were not due to typical IT security vulnerabilities.  Consequently, the NERC CIPs would not have prevented them. What is needed? - Use the NIST framework and assess all interconnected systems – no exclusions!   - Reassess the NERC CIPs, either on a scheduled annual basis, or whenever a significant cyber incident occurs to make sure the CIPs remain relevant. Joe Weiss